I would like to limit a user to only two commands: cat and exit.
I've tried to edit visudo but it does not work.

My OS version is CentOS 8.

kdm.J
  • @pLumo Apparently, it does not. The RHEL procedure is said to still permit all commands to be accessed using full path names, so is very flawed. – Paul_Pedant Sep 01 '20 at 10:51
  • If the user is in a shell, then restricting the available external commands is insufficient. All shell builtins (like cd), editing PATH or other environment, and all redirections are still available: `cat >> ~/.profile` for example, can be used to edit any restrictions you put in the user's login. And as the user has a terminal, he can use the menu to launch other terminals, and cut/paste to make edits of files. `cat` is also insufficient for use as a viewer, as a long document may need pagination to be readable. – Paul_Pedant Sep 01 '20 at 11:05
  • I won't post this as an answer because it is not tested -- might try it later today. /etc/passwd has an entry for which shell to run. I don't know if that could be a script. If it can (or you get a tiny C wrapper), you could just have it prompt for filenames, and print the data to the screen. Even accept one-key commands for forward, back, or a line number, and clip the appropriate section of the file with head and tail. When the passwd "shell" exits, the session gets closed automatically. The user never gets to see a real shell. – Paul_Pedant Sep 01 '20 at 11:34
  • Thanks a lot. My users are just normal-level users, not professionals. – kdm.J Sep 01 '20 at 13:08
  • Do users connect remotely to the server (like ssh), or do they have physical access to the computer? – nobody Sep 01 '20 at 13:59
  • Yes, they can connect remotely. – kdm.J Sep 02 '20 at 00:05
  • @Paul_Pedant Yes, it is possible to replace user's regular shell with a script or other program that provides a menu. You just need to satisfy the standard requirements: the program/script must be marked as executable, it must be listed in `/etc/shells`, and on systems with SELinux, it probably needs to have a SELinux label of appropriate type for executables. If the user finds some way to interrupt or exit the menu utility that has been started in this way, the login session will simply end right there. – telcoM Sep 02 '20 at 14:03
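
The menu-style login shell described in the comments above, sketched as an added example (not code posted by anyone in the thread): it accepts a file name, confines it to one directory, and pages the file with head and tail. `ALLOWED_DIR`, `PAGE_LINES` and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: restricted file viewer intended to be used as a login shell.
# ALLOWED_DIR and PAGE_LINES are assumed values, not taken from the thread.
ALLOWED_DIR="${ALLOWED_DIR:-/srv/readonly-docs}"
PAGE_LINES="${PAGE_LINES:-20}"

# Print the canonical path of $1 if it is a regular file inside ALLOWED_DIR.
# Canonicalising first rejects ../ traversal and symlinks that point outside.
resolve_allowed() {
    base=$(readlink -f -- "$ALLOWED_DIR") || return 1
    real=$(readlink -f -- "$ALLOWED_DIR/$1") || return 1
    case "$real" in
        "$base"/*) [ -f "$real" ] && printf '%s\n' "$real" ;;
        *) return 1 ;;
    esac
}

# Print PAGE_LINES lines of file $1, starting at line $2.
show_page() {
    tail -n "+$2" "$1" | head -n "$PAGE_LINES"
}

# Menu loop: the user only ever talks to this prompt, never to a real shell.
viewer_loop() {
    trap '' INT QUIT TSTP    # ignore Ctrl-C, Ctrl-\ and Ctrl-Z
    file="" line=1
    while printf 'file name, n(ext), b(ack), line number, q(uit)> ' &&
          IFS= read -r cmd; do
        case "$cmd" in
            q) break ;;
            n) line=$((line + PAGE_LINES)) ;;
            b) line=$((line - PAGE_LINES)); [ "$line" -ge 1 ] || line=1 ;;
            ''|0*|*[!0-9]*)    # anything that is not a plain line number is a file name
                file=$(resolve_allowed "$cmd") && line=1 ||
                    { echo "not available"; file=""; } ;;
            *) line=$cmd ;;
        esac
        [ -n "$file" ] && show_page "$file" "$line"
    done
}

# Start the menu only on a terminal. Arguments are ignored on purpose, so a
# remote "ssh host some-command" (passed to the login shell as -c) does nothing.
if [ -t 0 ]; then viewer_loop; fi
```

When the loop ends (q or end of input), the script exits and the login session closes with it.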

0 Answers